AUDIT OF
COMPLIANCE WITH STANDARDS GOVERNING
COMBINED DNA INDEX SYSTEM ACTIVITIES AT THE
SAN FRANCISCO POLICE DEPARTMENT
CRIMINALISTICS LABORATORY
SAN FRANCISCO, CALIFORNIA

U.S. Department of Justice
Office of the Inspector General
Audit Division

Audit Report GR-90-12-001
January 2012

EXECUTIVE SUMMARY

The Department of Justice Office of the Inspector General (OIG), Audit Division, has completed an audit of compliance with standards governing Combined DNA Index System (CODIS) activities at the San Francisco Police Department Criminalistics Laboratory, San Francisco, California (SFPD Laboratory).

Background

The Federal Bureau of Investigation’s (FBI) CODIS program combines forensic science and computer technology to provide an investigative tool to federal, state, and local crime laboratories in the United States, as well as those from select international law enforcement agencies. The CODIS program allows these crime laboratories to compare and match DNA profiles electronically to assist law enforcement in solving crimes and identifying missing or unidentified persons.[1] The FBI’s CODIS Unit manages CODIS, as well as develops, supports, and provides the program to crime laboratories to foster the exchange and comparison of forensic DNA evidence.

The FBI implemented CODIS as a distributed database with hierarchical levels that enables federal, state, and local crime laboratories to compare DNA profiles electronically.
The hierarchy consists of three distinct levels that flow upward from the local level to the state level and then, if allowable, the national level. The National DNA Index System (NDIS), the highest level in the hierarchy, contains DNA profiles uploaded by law enforcement agencies across the United States and is managed by the FBI. NDIS enables the laboratories participating in the CODIS program to electronically compare DNA profiles on a national level. The State DNA Index System is used at the state level to serve as a state’s DNA database and contains DNA profiles from local laboratories and state offenders. The Local DNA Index System is used by local laboratories.

[1] DNA, or deoxyribonucleic acid, is genetic material found in almost all living cells that contains encoded information necessary for building and maintaining life. Approximately 99.9 percent of human DNA is the same for all people. The differences found in the remaining 0.1 percent allow scientists to develop a unique set of DNA identification characteristics (a DNA profile) for an individual by analyzing a specimen containing DNA.

OIG Audit Objectives

Our audit generally covered the period from January 2009 through December 2010. The objectives of our audit were to determine if the: (1) SFPD Laboratory was in compliance with the NDIS participation requirements; (2) SFPD Laboratory was in compliance with the Quality Assurance Standards (QAS) issued by the FBI; and (3) SFPD Laboratory’s forensic DNA profiles in CODIS databases were complete, accurate, and allowable for inclusion in NDIS.

Our review determined the following:

• The SFPD Laboratory was in compliance with NDIS participation requirements regarding updated training for Laboratory personnel, maintenance of training and qualification records, and timeliness of NDIS matches.
  However, the Laboratory was not in compliance with NDIS Security Requirements that state server back-ups must be transported off-site on a monthly basis.

• The SFPD Laboratory was in compliance with the QAS regarding completion of periodic internal and external QAS reviews, implementation of corrective actions presented by internal and external reviews, and retention of evidence. However, the SFPD Laboratory was not in compliance with QAS that require access to the laboratory to be controlled and limited in a manner to prevent access by unauthorized personnel.

• We reviewed 100 of the SFPD Laboratory’s 935 forensic profiles in NDIS as of December 22, 2010. Of the 100 forensic profiles sampled, we found that 93 profiles were complete, accurate, and allowable for inclusion in NDIS while 7 profiles were unallowable. Specifically, we identified: (1) two profiles that were not allowable for upload because they violated the FBI’s 4x4 rule; (2) three profiles that were not allowable because they were obtained from the suspect’s person or residence; (3) one profile from an item that was not connected to a crime; and (4) one profile that was deemed unallowable because it did not meet the Laboratory’s own minimum eligibility requirement of seven core loci for upload to CODIS.[2] The Laboratory agreed to remove all seven unallowable profiles from NDIS.

[2] The “4x4 rule”, published by the FBI in September 2003, is a reference to Section 6.4.6 of the NDIS DNA Data Acceptance Standards, which states that forensic mixture DNA profiles submitted to NDIS may have up to four alleles at a maximum of four core loci, provided that the remaining nine core loci have no more than two alleles at each locus.

We made two recommendations to address the SFPD Laboratory’s compliance with standards governing CODIS activities, which are discussed in detail in the Findings and Recommendations section of the report. Our audit objectives, scope, and methodology are detailed in Appendix I of the report and the audit criteria are detailed in Appendix II.

We discussed the results of our audit with SFPD Laboratory officials and have included their comments in the report as applicable. In addition, we requested from the SFPD Laboratory and the FBI written responses to a draft of our audit report. We received those responses and they are found in Appendices III and IV, respectively.

TABLE OF CONTENTS

INTRODUCTION
      Background
      OIG Audit Objectives
      Legal Foundation for CODIS
      CODIS Structure
      Laboratory Information

FINDINGS AND RECOMMENDATIONS

I.    Compliance with NDIS Participation Requirements
         Results of the OIG Audit
         Conclusion
         Recommendation
II.   Compliance with Quality Assurance Standards
         Results of the OIG Audit
         Conclusion
         Recommendation
III.  Suitability of Forensic DNA Profiles in CODIS Databases
         Results of the OIG Audit
         Conclusion

APPENDICES:

I.    OBJECTIVES, SCOPE, AND METHODOLOGY
II.   AUDIT CRITERIA
III.  AUDITEE RESPONSE
IV.   DEPARTMENT OF JUSTICE RESPONSE
V.    OFFICE OF THE INSPECTOR GENERAL ANALYSIS AND SUMMARY OF ACTIONS NECESSARY TO CLOSE THE REPORT

INTRODUCTION

The Department of Justice Office of the Inspector General (OIG), Audit Division, has completed an audit of compliance with standards governing Combined DNA Index System (CODIS) activities at the San Francisco Police Department Criminalistics Laboratory, San Francisco, California (SFPD Laboratory).

Background

The Federal Bureau of Investigation’s (FBI) CODIS provides an investigative tool to federal, state, and local crime laboratories in the United States using forensic science and computer technology. The CODIS program allows these laboratories to compare and match DNA profiles electronically, thereby assisting law enforcement in solving crimes and identifying missing or unidentified persons.[1] The FBI’s CODIS Unit manages CODIS and is responsible for its use in fostering the exchange and comparison of forensic DNA evidence.

OIG Audit Objectives

Our audit generally covered the period from January 2009 through December 2010. The objectives of our audit were to determine if the: (1) SFPD Laboratory was in compliance with the National DNA Index System (NDIS) participation requirements; (2) SFPD Laboratory was in compliance with the Quality Assurance Standards (QAS) issued by the FBI; and (3) SFPD Laboratory’s forensic DNA profiles in CODIS databases were complete, accurate, and allowable for inclusion in NDIS.
Appendix I contains a detailed description of our audit objectives, scope, and methodology; and Appendix II contains the criteria used to conduct the audit.

[1] DNA, or deoxyribonucleic acid, is genetic material found in almost all living cells that contains encoded information necessary for building and maintaining life. Approximately 99.9 percent of human DNA is the same for all people. The differences found in the remaining 0.1 percent allow scientists to develop a unique set of DNA identification characteristics (a DNA profile) for an individual by analyzing a specimen containing DNA.

Legal Foundation for CODIS

The FBI’s CODIS program began as a pilot project in 1990. The DNA Identification Act of 1994 (Act) authorized the FBI to establish a national index of DNA profiles for law enforcement purposes. The Act, along with subsequent amendments, has been codified in a federal statute (Statute) providing the legal authority to establish and maintain NDIS.[2]

Allowable DNA Profiles

The Statute authorizes NDIS to contain the DNA identification records of persons convicted of crimes, persons who have been charged in an indictment or information with a crime, and other persons whose DNA samples are collected under applicable legal authorities. Samples voluntarily submitted solely for elimination purposes are not authorized for inclusion in NDIS. The Statute also authorizes NDIS to include analysis of DNA samples recovered from crime scenes or from unidentified human remains, as well as those voluntarily contributed from relatives of missing persons.

Allowable Disclosure of DNA Profiles

The Statute requires that NDIS only include DNA information that is based on analyses performed by or on behalf of a criminal justice agency – or the U.S. Department of Defense – in accordance with QAS issued by the FBI.
The DNA information in the index is authorized to be disclosed only: (1) to criminal justice agencies for law enforcement identification purposes; (2) in judicial proceedings, if otherwise admissible pursuant to applicable statutes or rules; (3) for criminal defense purposes, to a defendant who is allowed to have access to samples and analyses performed in connection with the case in which the defendant is charged; or (4) if personally identifiable information (PII) is removed for a population statistics database, for identification research and protocol development purposes, or for quality control purposes.

[2] 42 U.S.C.A. § 14132 (2006).

CODIS Structure

The FBI implemented CODIS as a distributed database with hierarchical levels that enables federal, state, and local crime laboratories to compare DNA profiles electronically. CODIS consists of a hierarchy of three distinct levels: (1) NDIS, managed by the FBI as the nation’s DNA database containing DNA profiles uploaded by participating states; (2) the State DNA Index System (SDIS) which serves as a state’s DNA database containing DNA profiles from local laboratories within the state and state offenders; and (3) the Local DNA Index System (LDIS), used by local laboratories. DNA profiles originate at the local level and then flow upward to the state and, if allowable, national level. For example, the local laboratory in the Palm Beach County, Florida, Sheriff’s Office sends its profiles to the state laboratory in Tallahassee, which then uploads the profiles to NDIS. Each state participating in CODIS has one designated SDIS laboratory. The SDIS laboratory maintains its own database and is responsible for overseeing NDIS issues for all CODIS-participating laboratories within the state.
The graphic below illustrates how the system hierarchy works.

Example of System Hierarchy within CODIS

NDIS (maintained by the FBI)
    SDIS Laboratory, Richmond, CA
        LDIS Laboratories (partial list):
            Orange County Sheriff’s Department
            San Bernardino County Sheriff’s Department
            San Diego Police Department
    SDIS Laboratory, Springfield, IL
        LDIS Laboratories (partial list):
            DuPage County Sheriff’s Office
            Illinois State Police, Chicago
            Illinois State Police, Rockford
    SDIS Laboratory, Tallahassee, FL
        LDIS Laboratories (partial list):
            Broward County Sheriff’s Office
            Miami-Dade Police Department
            Palm Beach County Sheriff’s Office

National DNA Index System

NDIS, the highest level in the CODIS hierarchy, enables laboratories participating in the CODIS program to electronically compare DNA profiles on a national level. NDIS does not contain names or other PII about the profiles. Therefore, matches are resolved through a system of laboratory-to-laboratory contacts. NDIS contains the following eight searchable indices:

• Convicted Offender Index contains profiles generated from persons convicted of qualifying offenses.[3]

• Arrestee Index is comprised of profiles developed from persons who have been arrested, indicted, or charged in an information with a crime.

• Legal Index consists of profiles that are produced from DNA samples collected from persons under other applicable legal authorities.[4]

• Detainee Index contains profiles from non-U.S. persons detained under the authority of the U.S. and required by law to provide a DNA sample for analysis and entry into NDIS.

• Forensic Index profiles originate from, and are associated with, evidence found at crime scenes.

• Missing Person Index contains known DNA profiles of missing persons and deduced missing persons.

• Unidentified Human (Remains) Index holds profiles from unidentified living individuals and the remains of unidentified deceased individuals.[5]

• Relatives of Missing Person Index is comprised of DNA profiles generated from the biological relatives of individuals reported missing.

Given these multiple databases, the main functions of CODIS are to: (1) generate investigative leads that may help in solving crimes and (2) identify missing and unidentified persons.

The Forensic Index generates investigative leads in CODIS that may help solve crimes.
Investigative leads may be generated through matches between the Forensic Index and other indices in the system, including the Convicted Offender, Arrestee, and Legal Indices. These matches may provide investigators with the identity of suspected perpetrators. CODIS also links crime scenes through matches between Forensic Index profiles, potentially identifying serial offenders.

[3] The phrase “qualifying offenses” refers to local, state, or federal crimes that require a person to provide a DNA sample in accordance with applicable laws.

[4] An example of a Legal Index profile is one from a person found not guilty by reason of insanity who is required by the relevant state law to provide a DNA sample.

[5] An example of an Unidentified Human (Remains) Index profile from a living person is a profile from a child or other individual, who cannot or refuses to identify themselves.

In addition to generating investigative leads, CODIS furthers the objectives of the FBI’s National Missing Person DNA Database program through its ability to identify missing and unidentified individuals. For instance, those persons may be identified through matches between the profiles in the Missing Person Index and the Unidentified Human (Remains) Index. In addition, the profiles within the Missing Person and Unidentified Human (Remains) Indices may be vetted against the Forensic, Convicted Offender, Arrestee, Detainee, and Legal Indices to provide investigators with leads in solving missing and unidentified person cases.

State and Local DNA Index Systems

The FBI provides CODIS software free of charge to any state or local law enforcement laboratory performing DNA analysis. Laboratories are able to use the CODIS software to upload profiles to NDIS.
However, before a laboratory is allowed to participate at the national level and upload DNA profiles to NDIS, a Memorandum of Understanding (MOU) must be signed between the FBI and the applicable state’s SDIS laboratory. The MOU defines the responsibilities of each party, includes a sublicense for the use of CODIS software, and delineates the standards laboratories must meet in order to utilize NDIS. Although officials from LDIS laboratories do not sign an MOU, LDIS laboratories that upload DNA profiles to an SDIS laboratory are required to adhere to the MOU signed by the SDIS laboratory.

States are authorized to upload DNA profiles to NDIS based on local, state, and federal laws, as well as NDIS regulations. However, states or localities may maintain NDIS-restricted profiles in SDIS or LDIS. For instance, a local law may allow for the collection and maintenance of a victim profile at LDIS but NDIS regulations do not authorize the upload of that profile to the national level.

CODIS becomes more useful as the quantity of DNA profiles in the system increases because the potential for additional leads rises. However, the utility of CODIS relies upon the completeness, accuracy, and quantity of profiles that laboratories upload to the system. Incomplete CODIS profiles are those for which the required number of core loci were not tested or do not contain all of the DNA information that resulted from a DNA analysis and may not be searched at NDIS.[6] The probability of a false match among DNA profiles is reduced as the completeness of a profile increases. Inaccurate profiles, which contain incorrect DNA information or an incorrect specimen number, may generate false positive leads, false negative comparisons, or lead to the misidentification of a sample.
Further, laws and regulations exclude certain types of profiles from being uploaded to CODIS to prevent violations to an individual’s privacy and foster the public’s confidence in CODIS. Therefore, it is the responsibility of the Laboratory to ensure that it is adhering to the NDIS participation requirements and the profiles uploaded to CODIS are complete, accurate, and allowable for inclusion in NDIS.

Laboratory Information

The SFPD Laboratory serves the City and County of San Francisco, California, which has a population of approximately 800,000. In addition, it provides services to the United States Park Police, which has law enforcement responsibilities within select areas of San Francisco.[7] The SFPD Laboratory participates in the CODIS program as an LDIS Laboratory. In 2000, the SFPD Laboratory began analyzing DNA as a means of processing evidence in criminal cases and in 2003 it began uploading forensic profiles into NDIS.

The SFPD Laboratory was first accredited by the American Society of Crime Laboratory Directors/Laboratory Accreditation Board (ASCLD/LAB) in 2005 and was reaccredited in February 2010 for a period of 5 years. In August 2010, the SFPD Laboratory began utilizing the services of an outside laboratory, the Serological Research Institute, to analyze some of the SFPD Laboratory’s DNA samples from less violent cases in order to reduce its backlog.

[6] A “locus” is a specific location on a chromosome. The plural form of locus is loci.

[7] The United States Park Police has law enforcement responsibilities in areas controlled by the U.S. Department of the Interior, National Park Services and that are located within the City and County of San Francisco.
This includes the Golden Gate National Recreation Area and such areas as the Presidio, the Aquatic Park Historic District, Ocean Beach, and many other parks and monuments. The SFPD Laboratory estimates that it performs DNA analysis on 5 to 8 cases each year for the United States Park Police.

FINDINGS AND RECOMMENDATIONS

I. Compliance with NDIS Participation Requirements

      The SFPD Laboratory was in compliance with NDIS participation requirements regarding updated training for Laboratory personnel, maintenance of training and qualification records for CODIS users, and timeliness of NDIS matches. We found that the SFPD Laboratory did not transfer back-ups of the CODIS server off-site on a monthly basis.

The NDIS participation requirements, which consist of the MOU and the NDIS Procedure Manual, establish the responsibilities and obligations of laboratories that participate in the CODIS program at the national level. The MOU describes the CODIS-related responsibilities of both the SFPD Laboratory and the FBI. The NDIS Procedure Manual is comprised of the NDIS operational procedures and provides detailed instructions for laboratories to follow when performing certain procedures pertinent to NDIS. The NDIS participation requirements we reviewed are included in Appendix II of this report.

Results of the OIG Audit

We found that the SFPD Laboratory did not comply with the NDIS participation requirements because it did not back up its CODIS server on a weekly basis and transport backed up CODIS data to an off-site location on a monthly basis. We describe this in more detail below.

Server Back-Ups

The NDIS Security Requirements state that laboratories participating in NDIS are responsible for backing up local CODIS data on at least a weekly basis.
Further, the same laboratories must store CODIS back-up media at a secure, off-site location on at least a monthly basis. We found that the SFPD Laboratory did not back up its CODIS data in full accordance with NDIS requirements. The SFPD Laboratory’s CODIS Administrator explained that since 2003, the SFPD Laboratory had been backing up its CODIS data and storing it at an off-site facility on a quarterly basis. SFPD Laboratory officials considered this process to be acceptable because the Laboratory was also uploading its forensic profiles to California’s SDIS laboratory on a weekly basis and SFPD Laboratory officials regarded the weekly uploads as being similar to locally backing up its CODIS data.

The SFPD Laboratory deviated from the NDIS Security Requirements regarding its CODIS back-up procedures. First, information provided to us during our site work at the Laboratory indicated it was not backing up its CODIS data every week as required.[8] Second, it was not storing its CODIS database back-ups at an off-site location on a monthly basis as required. These deviations are a concern, especially based upon our observation that personnel that are not part of the DNA Analysis Unit were able to have physical access to the CODIS server. Further, SFPD’s reliance on its weekly upload to the California SDIS laboratory cannot be considered proper data management practice because it shifts responsibility for properly backing up local CODIS data from the SFPD to another laboratory. We believe that these deficiencies pose a significant risk in that the SFPD Laboratory’s CODIS server will not be reloaded with the most up-to-date data in the event of a natural disaster, accidental error, system crash, or any type of physical tampering or disturbance.
Therefore, we recommend that the FBI work with the SFPD Laboratory to establish procedures that would ensure that the SFPD’s CODIS server is backed up at least once a week and that back-ups are stored off-site on at least a monthly basis.

Besides this issue stated above, we had no other significant concerns related to the SFPD Laboratory’s compliance with the other NDIS participation requirements we reviewed. The results of our audit are described in more detail below:

• The NDIS General Responsibilities Operational Procedures manual requires that participating laboratories ensure that CODIS users are notified of and provided access to revised NDIS Operational Procedures and other documentation necessary to properly participate in NDIS. The SFPD Laboratory’s CODIS Administrator stated that the Laboratory provides its personnel with copies of the NDIS procedure manual, in addition to its availability on the FBI’s Criminal Justice Information System—Wide Area Network. The SFPD Laboratory’s CODIS Administrator stated that she also provides verbal guidance and informational updates to CODIS users at the SFPD Laboratory when needed. Finally, we selected two of the six CODIS users to interview and determined that both users understood NDIS procedures and could access the procedures if needed.

[8] The SFPD’s response to our draft audit report stated that the SFPD Laboratory’s procedures for backing up its CODIS server and related data included performing back-ups on a daily basis using a software program.
We are working with the SFPD Laboratory and the FBI to confirm this information.

• The NDIS Security Requirements state that the CODIS server and equipment and hardware shall be electronically safeguarded from unauthorized use and be only accessible to a limited number of approved personnel. We found that only a limited number of CODIS users within the SFPD Laboratory have access to CODIS through the FBI’s Criminal Justice Information System—Wide Area Network. This access is further limited to one computer workstation. We observed that all SFPD Laboratory CODIS users have their own CODIS accounts, unique passwords, and must undergo annual CODIS training. Moreover, the SFPD Laboratory’s in-house policy limits access to the CODIS database to only the CODIS Administrator and her alternate. Other SFPD CODIS users utilize the single computer workstation that has access to CODIS in order to participate in annual online CODIS training.

• The NDIS Security Requirements state that only authorized personnel shall have physical access to the CODIS server, and that maintaining the server in a separate room of the laboratory or in another locked space or cabinet is not required provided access to the CODIS server is controlled in accordance with the requirements of this procedure. We learned that the CODIS server has been stored in a limited-entry unit of the SFPD Laboratory space since 2003. Access to this unit is currently limited to seven laboratory personnel and staff who hold supervisory positions within the Laboratory.
  We observed the location and accessibility of the CODIS server and found it to be in compliance with NDIS Security Requirements.

• SFPD Laboratory CODIS users are required to complete annual DNA Records Acceptance training. The FBI provided to us a list of SFPD Laboratory personnel who had received this mandatory annual training, which we compared to a list provided by the Laboratory. We found that all authorized personnel have successfully completed the annual training.

• For each CODIS user, the FBI requires that a participating laboratory submit fingerprint cards, background information, CODIS user information, and other appropriate documentation to the FBI. We verified that all necessary documents were provided to the FBI for all six SFPD Laboratory CODIS users.

• At the time of our audit, the NDIS General Responsibilities Operational Procedures manual required participating laboratories to maintain records of CODIS users, including reports concerning proficiency testing, and any other reports or audits required by the FBI, for a period of 10 years. We determined that SFPD Laboratory maintained personnel files for its CODIS users indefinitely, which is in accordance with its in-house policy requirement and in compliance with the 10-year retention requirement that was in the NDIS Operational Procedures.

• The NDIS Interstate Candidate Match Operational Procedures defines procedures for participating laboratories to follow when confirming matches that are identified in the CODIS system. We reviewed a sample of five NDIS matches and determined that each match was generally confirmed and, when applicable, investigators were notified in a timely manner.
   Specifically, we found:

   o  The SFPD Laboratory sent confirmation requests in a timely
      manner for all five matches;

   o  Confirmation generally took place within 30 days after the SFPD
      Laboratory’s request was sent out for four of the five matches.
      For the one late match confirmation, the process took 66 days
      because another laboratory did not confirm the match submitted
      by the SFPD Laboratory in a timely manner;

   o  The SFPD Laboratory notified investigators of match confirmation
      in a timely manner for all five matches.

•  The NDIS operational procedure entitled Review of External Audits
   requires that an external quality assurance review be forwarded to
   the FBI’s NDIS Custodian within 30 days of the participating
   laboratory’s receipt of the report. We reviewed the submission of
   the most recent external review and found that the report was
   submitted to the FBI’s NDIS Custodian in a timely manner.

Conclusion

      We found that the SFPD Laboratory did not store CODIS server
back-ups at an off-site location, other than the NDIS Participating
Laboratory, on a monthly basis.

Recommendation

      We recommend that the FBI:

      1. Work with the SFPD Laboratory to establish procedures to ensure
         back-ups of its CODIS server are performed at least once a week
         and those back-ups are maintained at an off-site location at least
         on a monthly basis.

II. Compliance with Quality Assurance Standards

      We found that the SFPD Laboratory complied with the
      QAS issued by the FBI regarding the performance of
      QAS reviews within designated timeframes, and the
      proper monitoring of its subcontractors to ensure data
      integrity. 9 However, we also found that security at
      the SFPD Laboratory did not fully meet Forensic QAS
      that outline personnel access to the DNA Analysis
      Unit.

      During our audit, we considered the Forensic QAS issued by the FBI. 10
These standards describe the quality assurance requirements that the SFPD
Laboratory was required to adhere to in order to ensure its data met quality
and integrity standards. We also assessed the two most recent QAS reviews
that were conducted of the SFPD Laboratory. The QAS we reviewed are
listed in Appendix II.

Results of the OIG Audit

      We noted one exception to the SFPD Laboratory’s compliance with
Forensic QAS. Specifically, we found that the SFPD Laboratory did not
adhere to the Forensic QAS that requires access to the laboratory to be
controlled and limited in a manner to prevent access by unauthorized
personnel. The results of our audit are described in more detail below.

Controlled and Limited Access to the Laboratory

      During our audit, we observed the SFPD Laboratory’s security
measures for limiting entry and access into its facility, and more specifically
into its DNA Analysis Unit, to only include authorized personnel. We
identified security measures, such as key locks and combination touch pads,
which the SFPD Laboratory has in place to secure access to its building from
the outside. The SFPD Laboratory staff members told us that the interior
doors within the SFPD Laboratory leading into the DNA Analysis Unit were
accessible to all laboratory personnel and were not limited to just the staff
members that were assigned to the DNA Analysis Unit.

      9 The QAS requires that laboratories undergo annual audits. Every other year, the
QAS requires that the audit be performed by an external agency that performs DNA
identification analysis and is independent of the laboratory being reviewed. These audits
are not required by the QAS to be performed in accordance with the Government Auditing
Standards (GAS) and are not performed by the Department of Justice Office of the
Inspector General. Therefore, we will refer to the QAS audits as reviews (either an internal
laboratory review or an external laboratory review, as applicable) to avoid confusion with
our audits that are conducted in accordance with GAS.

      10 Forensic Quality Assurance Standards refer to the Quality Assurance Standards for
Forensic DNA Testing Laboratories, effective July 1, 2009.

      We observed that the door between the Firearms Unit and the DNA
Analysis Unit was propped open, along with another open door from the
Firearms Unit to an unlocked corridor within the SFPD Laboratory. 11 This
corridor led to the front lobby of the building, to the garage that housed the
San Francisco Police Department (SFPD) vehicle fleet, and one of the SFPD
Laboratory’s secure evidence areas. We observed Laboratory staff working
in the Firearms and DNA Analysis Units while these doors were propped
open. SFPD Laboratory management explained that the series of open doors
was an infrequent occurrence and that the doors were kept open in an
attempt to equalize the temperatures between the spaces occupied by the
Firearms Unit and DNA Analysis Unit.
However, we are concerned that
visitors or personnel with limited access to the SFPD Laboratory’s facilities or
garage area could gain unauthorized access to the DNA Analysis Unit
through propped open doors and the unlocked corridor. This vulnerability is
compounded in those instances where there may not be SFPD Laboratory
staff present to prevent unauthorized personnel from entering the secured
DNA Analysis Unit.

      Further, we learned that other SFPD units, not related to the SFPD
Laboratory, periodically use space within the SFPD Laboratory for law
enforcement training courses attended by non-Laboratory personnel. The
SFPD Laboratory’s Quality Assurance Manager did not feel these trainings
were a security concern for the SFPD Laboratory and explained that the foot
traffic within the Laboratory is monitored and that attendees are escorted
upstairs and through other areas of the building. However, we believe that
the presence of regular visitors in the facility increases the risk of
unauthorized access to the DNA Analysis Unit, and thereby underscores the
need to maintain adequate security of the Laboratory. We do not believe
that SFPD Laboratory is in compliance with the Forensic QAS that states that
access should be controlled and limited in a manner to prevent access by
unauthorized personnel. We recommend that the FBI work with the SFPD
Laboratory to enhance security for the DNA Laboratory.

      11 According to the September 2010 ASCLD/LAB Interim Inspection Report,
ASCLD/LAB inspectors visited the SFPD Laboratory in August 2010 to investigate concerns
about the Laboratory, including allegations of possible unrestricted access that were raised
in an anonymous letter. According to the report the SFPD Quality Assurance Manager
stated that prior to November 2009 she observed doors to the building and Laboratory
secure areas being propped open, but that this practice stopped after the SFPD Laboratory
installed a proximity card access system. The September 2010 report concluded that the
ASCLD/LAB inspectors did not observe any doors being propped open and that the SFPD
Laboratory was meeting ASCLD/LAB’s security requirements.

      ASCLD/LAB, Interim Inspection Report San Francisco Police Department
Criminalistics Laboratory (September 2010), 1-3.

      We found that the SFPD Laboratory complied with the other NDIS QAS
that we reviewed, as described below:

•  The QAS requires laboratories to undergo an annual review,
   including an external review every 2 years. As of January 2011, we
   found that the SFPD Laboratory had external QAS reviews
   performed in November 2009 and April 2010, and an internal QAS
   review in December 2010.

•  We reviewed the prior 2 years of QAS review reports for the SFPD
   Laboratory. Both the internal and external reviews were conducted
   using the FBI’s QAS Review Document. The FBI confirmed that at
   least one of the QAS reviewers for both reviews had successfully
   completed the FBI QAS Review training course.

   o  The two external reviews we examined identified four findings,
      two of which were overturned by the NDIS Audit Review Panel.
      The remaining two findings reported that: (1) the SFPD
      Laboratory failed to provide its preceding review report to the
      FBI within the required 30 days; and (2) the SFPD Laboratory
      uploaded different alleles than those listed by the DNA analyst
      on the CODIS upload form without concurrence of the DNA
      analyst.
      We reviewed the SFPD Laboratory’s corrective actions
      and determined that it had taken appropriate action to remedy
      these errors including the establishment of a new policy within
      its DNA Quality Assurance Manual to provide external audit
      documentation and laboratory responses to the FBI within 30
      days of receiving the audit documentation or report. In addition,
      the SFPD Laboratory clarified its procedure to verify criteria for
      DNA profiles through two concordant assessments that are to be
      prepared by qualified analysts or technical reviewers.

   o  The internal QAS review did not identify any findings of
      non-compliance.

•  We asked each of the QAS reviewers who conducted the most
   recent external QAS reviews to certify that they had no
   impairments to independence. All QAS reviewers provided us with
   this certification.

•  We reviewed the SFPD Laboratory’s policies on physical security of
   the facility as well as the access key card assignments for the
   secured areas of the Laboratory. We also toured the SFPD
   Laboratory and observed that the facility remains locked and closed
   to the public at all times; authorized SFPD Laboratory personnel
   enter using a key or numerical touch pad. We observed that the
   facility is protected during after-hours by motion detectors and an
   alarm system.
   While we noted internal security concerns pertaining
   to the DNA Analysis Unit that are mentioned above, we found that
   overall external security at the SFPD Laboratory is adequate and in
   compliance with the QAS requirements we tested.

•  The QAS requires laboratories to perform evidence examination,
   DNA extraction, and polymerase chain reaction (PCR) setup
   processes at separate times or in separated spaces. We reviewed
   the policies and procedures that the SFPD Laboratory implements
   regarding the separation of known and unknown DNA samples in
   accordance with the QAS requirements. According to the SFPD
   Laboratory’s Quality Control Manual standard, evidence samples
   should be separated by time or space. We did not identify any
   material deficiencies with regard to the SFPD Laboratory’s
   separation of known and unknown DNA samples, which are
   processed at separate times.

•  The integrity of physical evidence is maintained by the Laboratory
   in accordance with the QAS requirements that we tested. Sample
   evidence is placed in containers that are labeled with the SFPD
   Laboratory’s incident number and the SFPD Property Record Item
   number. Each DNA Analyst who takes custody of the evidence will
   mark the outer container with their initials and date. Specifically,
   we reviewed the SFPD Laboratory’s policy for retaining samples and
   found that the SFPD Laboratory retains sample extracts indefinitely
   and stores these sample extracts in the DNA Analysis Unit. In the
   DNA Analysis Unit, we observed that sample extracts are
   maintained in refrigerators unlocked during business hours and
   locked after-hours. SFPD Laboratory officials confirmed this
   practice. The extracts and evidence samples are formally
   transferred from the DNA Analysis Unit and held long-term in the
   SFPD’s Property Control Division.
   We viewed evidence of transfer
   paperwork and Property Control Division evidence control and
   release policies and determined that they were clear, detailed, and
   adequate to ensure evidence is properly handled and transferred to
   the Property Control Division.

•  We found that since July 2010, the SFPD Laboratory has contracted
   with a vendor laboratory, Serological Research Institute, to
   outsource some of its forensic analysis work. We reviewed the
   Serological Research Institute’s most recent accreditation obtained
   in December 2009, its QAS audit documentation from September
   2009, and the contract that the SFPD Laboratory holds with the
   Serological Research Institute. Between July 2010 and April 2011,
   the SFPD Laboratory outsourced approximately 250 cases. 12
   During our site visit, we learned that in December 2010, the SFPD
   Laboratory had temporarily stopped outsourcing samples to the
   Serological Research Institute because of possible contamination
   issues identified by the SFPD Laboratory. However, after reviewing
   the results from a contamination study completed in January 2011
   the Laboratory has since resumed outsourcing casework to the
   Serological Research Institute.

•  We reviewed the SFPD Laboratory’s procedures for verifying vendor
   casework and found that a technical review is performed and
   documented for all outsourced samples eligible for upload into
   CODIS. The SFPD Laboratory’s technical review procedure for
   vendor casework is identical to that of in-house casework and is in
   accordance with the QAS requirements.
   13 As of March 2011, all
   cases outsourced to the Serological Research Institute that were
   deemed eligible for CODIS upload by the vendor laboratory had
   successfully passed the SFPD Laboratory’s technical review process.

•  We reviewed the documentation of SFPD Laboratory’s site visit to
   Serological Research Institute and verified that the Laboratory
   conducted a site visit of the facility in July 2010, prior to entering
   into a contract with the Serological Research Institute. During that
   site visit, the SFPD Laboratory found no issues with the Serological
   Research Institute’s operations.

      12 As of April 2011, the SFPD had uploaded 21 outsourced cases into NDIS.

      13 FBI QAS 17.5.1 states that technical review shall include the following elements:
(1) a review of all DNA types to verify that they are supported by the raw or analyzed data
(electropherograms or images); (2) a review of all associated controls, internal lane
standards, and allelic ladders to verify that the expected results were obtained; (3) a review
of the final report (if provided by vendor laboratory) to verify that the results and
conclusions are supported by the data; and (4) verification of the DNA types, eligibility, and
the correct specimen category for entry into CODIS.

Conclusion

      We found that the SFPD Laboratory complied with the FBI’s Forensic
QAS that we tested, with one exception. During our visit to the Laboratory,
we observed multiple sets of doors propped open that led from the main
lobby, through an unlocked corridor, and ultimately to the DNA Analysis
Unit.
Based on this observation, the SFPD Laboratory did not fully comply
with FBI’s Forensic QAS that requires access to the laboratory to be
controlled and limited. Although the SFPD Laboratory has a policy in place
regarding physical security controls for limiting unauthorized access into the
unit, the SFPD Laboratory needs to strengthen its adherence to that policy
and ensure it is consistently followed by all staff so that access to the DNA
Analysis Unit remains secure and limited to SFPD Laboratory personnel who
are authorized to have access to that unit.

Recommendation

      We recommend that the FBI:

      2. Work with the SFPD Laboratory to enhance its security procedures
         for preventing access to the DNA Laboratory by unauthorized
         personnel.

III. Suitability of Forensic DNA Profiles in CODIS Databases

      We found that 7 of the 100 profiles we reviewed did
      not meet NDIS or SFPD Laboratory’s suitability
      standards. The SFPD Laboratory removed all seven
      profiles from NDIS. Specifically, we found: (1) two
      profiles violated the 4x4 rule; (2) three profiles were
      obtained from the suspect’s person or residence;
      (3) one profile was developed from evidence not
      connected to a crime; and (4) one profile did not
      meet the SFPD Laboratory’s own minimum
      requirement of seven core loci for uploading to
      CODIS. 14

      We reviewed a sample of the SFPD Laboratory’s forensic DNA profiles
to determine whether each profile was complete, accurate, and allowable for
inclusion in NDIS.
15 To test the completeness and accuracy of each profile,
we established standards that require a profile include all the loci for which
the analyst obtained results, and that the values at each locus match those
identified during analysis. 16 Our standards are described in more detail in
Appendix II of this report.

      The FBI’s NDIS operational procedures establish the DNA data
acceptance standards by which laboratories must abide. The FBI also
developed a flowchart as guidance for the laboratories for determining what
is allowable in the forensic index at NDIS. Laboratories are prohibited from
uploading forensic profiles to NDIS that clearly match the DNA profile of the
victim or another known person that is not a suspect. A profile at NDIS that
matches a suspect may be allowable if the contributor is unknown at the
time of collection; however, NDIS guidelines prohibit profiles that match a
suspect if that profile could reasonably have been expected to be on an item
at the crime scene or part of the crime scene independent of the crime. For
instance, a profile from an item seized from the suspect’s person, such as a
shirt, or that was in the possession of the suspect when collected is
generally not a forensic unknown and would not be allowable for upload to
NDIS. The NDIS procedures we reviewed are listed in Appendix II of this
report.

      14 The “4x4 rule”, published by the FBI in September 2003, is a reference to Section
6.4.6 of the NDIS DNA Data Acceptance Standards, which states that forensic mixture DNA
profiles submitted to NDIS may have up to 4 alleles at a maximum of 4 core loci, provided
that the remaining 9 core loci have no more than 2 alleles at each locus.

      15 When a laboratory’s universe of DNA profiles in NDIS exceeds 1,500, our sample
is taken from SDIS rather than directly from NDIS. See Appendix I for further description of
the sample selection.

      16 A “locus” is a specific location on a chromosome. The plural form of locus is loci.

Results of the OIG Audit

      We selected a sample of 100 profiles out of the 935 forensic profiles
that the SFPD Laboratory had uploaded into NDIS as of December 22, 2010.
Of the 100 forensic profiles sampled, we found that 7 profiles were
unallowable for upload to NDIS. The remaining profiles sampled were
complete, accurate, and allowable for inclusion in NDIS. The specific
exceptions are explained in more detail below.

Profile Allowability

      Based on our review, we found 7 of the 100 profiles in our sample did
not meet NDIS requirements and were unallowable for upload into the NDIS
database. The remaining 93 profiles were complete, accurate, and allowable
for NDIS upload. Our review examined each profile in the sample to
determine its suitability based on NDIS guidelines such as: (1) whether a
crime was committed; (2) whether the profile was obtained from the crime
scene; and (3) whether the profile was attributable to a putative
perpetrator.

      Specifically, we identified the following seven profiles not suitable for
CODIS: (1) two profiles were not allowable for upload because they violated
the 4x4 rule; (2) three profiles were not allowable because they were
obtained from the suspect’s person or residence; (3) one profile was
obtained from an item that was not connected to a crime; and (4) one
profile did not meet the Laboratory’s minimum requirement of seven core
loci for upload to CODIS. The results of our review are further explained
below:

OIG Sample Number CA-20

      Sample CA-20 was taken from the suspect’s clothing.
This clothing
was retrieved from the suspect 1 week after the homicide was committed.
We deemed this profile to be unallowable because it is considered a deduced
suspect profile rather than a forensic unknown profile, and it was not
retrieved from the crime scene. 17 We presented this to the SFPD Laboratory
CODIS Administrator, who agreed that this profile was unallowable and
removed it from CODIS.

OIG Sample Number CA-37

      Sample CA-37 was taken from a swab of a gun grip retrieved during a
police chase of the suspects. There were six core loci uploaded into CODIS
because according to the case file documentation, alleles at three core loci
could not be detected. We presented this to the CODIS Administrator, who
stated that there was not enough DNA to test 13 core loci. The SFPD
Laboratory’s requirement is to test the profile on at least nine core loci and
upload a minimum of seven to SDIS; therefore, the SFPD Laboratory did not
adhere to its own minimum loci requirement when it uploaded this case.
The CODIS Administrator determined that the profile was not suitable and
removed it from CODIS.

OIG Sample Number CA-44

      Sample CA-44 was taken from a cigarette butt found in a trash can in
connection with a death investigation. However, the information in the case
file was not sufficient to connect the cigarette butt to a putative perpetrator.
In addition, as of January 2011, the cause of the victim’s death was listed as
undetermined and could not definitively be ruled as a homicide, even though
the case file stated there were suspicious circumstances surrounding the
victim’s death.
As a result, we determined that this profile was unallowable.
We presented this to the CODIS Administrator who agreed with our
determinations and removed the profile from CODIS.

OIG Sample Number CA-45

      Sample CA-45 was taken from a stain on bedding in a room where a
rape had occurred. The victim was raped by five males at the apartment
where several of the suspects resided. We deemed this profile to be
unallowable because the suspects of the crime also resided at the
apartment, and we could not be sure that this particular forensic mixture
was attributed to the crime. We reviewed the DNA analysis results for the
non-sperm fraction of the mixture and found that it did not match the
victim's standard; therefore, it appeared that this stain may have come from
an unrelated sexual act that did not involve the victim. We presented this to
the CODIS Administrator, who agreed that this profile was unallowable and
removed it from CODIS.

      17 FBI introduced guidance to exclude deduced suspect profiles from NDIS in 2006.
To be classified as a forensic unknown record, the DNA sample must be attributed to the
putative perpetrator. Items taken directly from the suspect are considered deduced suspect
samples, not forensic unknowns, and are not eligible for upload to NDIS.

OIG Sample Number CA-50

      Sample CA-50 was taken from a condom found in the male victim's
apartment where a rape occurred. We determined that the sample was
unallowable because it violated the FBI’s 4x4 rule and was uploaded to
CODIS in February 2005, after the 4x4 rule was established. The profile
presented three alleles at six loci and two alleles at each of the remaining
three loci.
We presented this to the CODIS Administrator, who agreed that
the profile was unallowable and removed it from CODIS.

OIG Sample Number CA-74

      We determined that sample CA-74 was unallowable because it violated
the FBI’s 4x4 rule and was uploaded to CODIS in September 2004, after the
4x4 rule was established. The profile was a mixture of two suspects and
presented four alleles at four core loci and three alleles at each of the
remaining six core loci. We presented this to the CODIS Administrator, who
agreed that the profile was unallowable and removed it from CODIS.

OIG Sample Number CA-96

      Sample CA-96 was taken from a genital swab of the suspect. We
deemed this profile to be unallowable because it is not a forensic unknown
profile, but rather a deduced suspect profile. We presented this to the
CODIS Administrator, who agreed that the profile was unallowable and
removed it from CODIS.

Other Matters

      As a result of our audit, we found that the SFPD Laboratory does not
always attempt to obtain results for all 13 core loci. Specifically, for 55 of
the 100 profiles we reviewed, the Laboratory analyzed the profile using the
Profiler Plus® PCR Amplification Kit, which produces results for only 9 of the
13 core loci.
18 NDIS guidelines for CODIS index search parameters set the
minimum number of loci required to report a match at 10 core loci, which
essentially precludes profiles with less than 10 core loci from being searched
at NDIS and providing investigative leads to other states.

      18 Of the 55 total profiles that were analyzed on Profiler Plus and produced results at
9 core loci, we determined 6 profiles to be unallowable during the course of our review.

      When we inquired about this issue, the CODIS Administrator stated
that the Profiler Plus® PCR Amplification Kit was attempted only when one of
the following situations arose:

      1. there was insufficient DNA to conduct the testing on all 13 core
         loci;

      2. analysis was performed prior to December 2002 when the SFPD
         Laboratory validated the COfiler® PCR Amplification kit, which
         provides results for the remaining 4 core loci;

      3. the DNA analyst was presented by the investigator with a
         potential match for the forensic profile to a suspect; or

      4. the case was determined to be solved.

      We agree with the SFPD Laboratory that COfiler® could not be utilized
before it was validated or if there was insufficient DNA to test on all 13 loci.
However, we do not believe that the SFPD Laboratory’s last two reasons
listed above should preclude profiles from being searched at NDIS.
We
determined that 19 of the 55 profiles could have been tested on all 13 core
loci because the DNA analysis took place after December 2002, when
COfiler® was instituted at the SFPD Laboratory, and there was sufficient DNA
to test on 13 core loci. 19

      19 This total of 19 profiles does not include the 6 profiles that we determined to be
unallowable during the course of our review.

      Our concern is that by purposefully analyzing and uploading to NDIS
forensic profiles that were analyzed on only 9 core loci when there was the
possibility to analyze profiles on 13 core loci, the SFPD Laboratory was
precluding other laboratories in other states from being able to search SFPD
Laboratory’s forensic profiles for possible matches. Therefore, we believe
that the SFPD Laboratory was not fully participating in NDIS, as it was not
fully adhering to the NDIS DNA Data Acceptance Standards, which require
that analysis on all 13 core loci be attempted for forensic unknown profiles.
We asked the CODIS Administrator about this issue and she stated that
2 years ago, the SFPD Laboratory had begun efforts to perform additional
testing on samples that had only been tested on 9 core loci using Profiler
Plus. However, 2 months after the effort began, the Criminalist assigned to
this project resigned and the project was stalled. The CODIS Administrator
stated that this project will be restarted and the SFPD Laboratory plans to
conduct testing using COfiler® for those samples that had previously been
analyzed only on nine core loci in order to obtain results for the additional
four core loci and upload complete profiles into NDIS.
As of July 2011, the
CODIS Administrator could not provide a definite date for when the project
will be restarted, but instead gave an estimated timeframe of 6 to 12
months from July 2011, which includes the time it will take to acquire and
train new personnel.

Conclusion

      Based on our testing of 100 sample forensic profiles that the SFPD
Laboratory uploaded to NDIS, we found 93 profiles were complete, accurate,
and allowable for inclusion in NDIS. However, we also identified seven
forensic profiles that were not suitable for upload to NDIS. The SFPD
Laboratory took corrective action on all seven profiles and removed them
from NDIS. We make no recommendations concerning the suitability of
SFPD Laboratory’s forensic DNA profiles that are in CODIS.

APPENDIX I

OBJECTIVES, SCOPE, AND METHODOLOGY

      We conducted this performance audit in accordance with generally
accepted government auditing standards. Those standards require that we
plan and perform the audit to obtain sufficient, appropriate evidence to
provide a reasonable basis for our findings and conclusions based on our
audit objectives. We believe that the evidence obtained provides a
reasonable basis for our findings and conclusions based on our audit
objectives.

      Our audit generally covered the period from January 2009 through
December 2010. The objectives of the audit were to determine if the:
(1) SFPD Laboratory was in compliance with the NDIS participation
requirements; (2) SFPD Laboratory was in compliance with the QAS issued
by the FBI; and (3) SFPD Laboratory’s forensic DNA profiles in CODIS
databases were complete, accurate, and allowable for inclusion in NDIS.
To
accomplish the objectives of the audit, we:

      • Examined internal and external SFPD Laboratory QAS review reports
        and supporting documentation for corrective action taken, if any, to
        determine whether: (a) the SFPD Laboratory complied with the QAS,
        (b) repeat findings were identified, and (c) recommendations were
        adequately resolved. 20

        In accordance with the QAS, the internal and external laboratory
        review procedures are to address, at a minimum, a laboratory’s
        quality assurance program, organization and management, personnel
        qualifications, facilities, evidence control, validation of methods and
        procedures, analytical procedures, calibration and maintenance of
        instruments and equipment, proficiency testing of analysts, corrective
        action for discrepancies and errors, review of case files, reports,
        safety, and previous audits. The QAS require that internal and
        external reviews be performed by personnel who have successfully
        completed the FBI’s training course for conducting such reviews.

       20
           The QAS requires that laboratories undergo annual audits, which every other year
must be performed by an external agency that performs DNA identification analysis and is
independent of the laboratory being reviewed. The QAS does not require these audits to be
performed in accordance with the Government Auditing Standards (GAS) and they are not
performed by the Department of Justice Office of the Inspector General.
Therefore, we
refer to the QAS audits as either internal or external laboratory reviews, as applicable, to
avoid confusion with our audits that are conducted in accordance with GAS.

        As permitted by GAS 7.42 (2007 revision), we generally relied on
        the results of the SFPD Laboratory’s external laboratory review to
        determine if the SFPD Laboratory complied with the QAS. 21 In
        order to rely on the work of non-auditors, GAS requires that we
        perform procedures to obtain sufficient evidence that the work can
        be relied upon. Therefore, we: (1) obtained evidence concerning
        the qualifications and independence of the individuals who
        conducted the review and (2) determined that the scope, quality,
        and timing of the audit work performed was adequate for reliance in
        the context of the current audit objectives by reviewing the
        evaluation procedure guide and resultant findings to understand the
        methods and significant assumptions used by the individuals
        conducting the reviews.
        Based on this work, we determined that
        we could rely on the results of the SFPD Laboratory’s external
        laboratory review.

      • Interviewed SFPD Laboratory officials to identify management
        controls, SFPD Laboratory operational policies and procedures, SFPD
        Laboratory certifications or accreditations, and analytical information
        related to DNA profiles.

      • Toured the SFPD Laboratory to observe facility security measures as
        well as the procedures and controls related to the receipt, processing,
        analyzing, and storage of forensic evidence and convicted offender
        DNA samples.

      • Reviewed the SFPD Laboratory’s written policies and procedures
        related to conducting internal reviews, resolving review findings,
        expunging DNA profiles from NDIS, and resolving matches among
        DNA profiles in NDIS.

      • Reviewed supporting documentation for five matches to determine
        whether they were resolved in a timely manner. The SFPD
        Laboratory provided the universe of 23 matches as of January 10,
        2011. The sample was judgmentally selected to include both
        case-to-case and case-to-offender matches. This non-statistical sample
        does not allow projection of the test results to all matches.

       21
           We also considered the results of the SFPD Laboratory’s internal laboratory
review, but could not rely on it because it was not performed by personnel independent of
the SFPD Laboratory.
Further, as noted in Appendix II, we performed audit testing to verify
SFPD Laboratory’s compliance with specific QAS that have a substantial effect on the
integrity of the DNA profiles uploaded to NDIS.

      • Reviewed supporting documentation to determine whether the SFPD
        Laboratory provided adequate vendor oversight.

      • Reviewed the case files for selected forensic DNA profiles to
        determine if the profiles were developed in accordance with the
        Forensic QAS and were complete, accurate, and allowable for
        inclusion in NDIS.

        Working in conjunction with the contractor used by the FBI to
        maintain NDIS and the CODIS software, we obtained an electronic
        file identifying the 935 STR forensic profiles the SFPD Laboratory
        had uploaded to NDIS as of December 22, 2010. We limited our
        review to a sample of 100 profiles. This sample size was determined
        judgmentally because preliminary audit work determined that risk
        was not unacceptably high.

      • Using the judgmentally-determined sample size, we randomly
        selected a representative sample of labels associated with specific
        profiles in our universe to reduce the effect of any patterns in the list
        of profiles provided to us. However, since the sample size was
        judgmentally determined, the results obtained from testing this
        limited sample of profiles may not be projected to the universe of
        profiles from which the sample was selected.

      The objectives of our audit concerned the SFPD Laboratory's
compliance with required standards and the related internal controls.
Accordingly, we did not attach a separate statement on compliance with laws
and regulations or a statement on internal controls to this report.
See
Appendix II for detailed information on our audit criteria.

      After we issued our draft report to the FBI and the SFPD Laboratory,
we learned from local news reports that the SFPD had recently conducted an
internal investigation of its CODIS Administrator. In addition, the same local
media reports also stated that the San Francisco District Attorney’s Office
had provided in writing to the SFPD its concerns related to the SFPD’s DNA
Laboratory. The SFPD did not inform us of these two matters during our
fieldwork. Therefore, upon learning of these issues, we requested that the
SFPD provide the following for our review: (1) the results of its internal
investigation pertaining to its CODIS Administrator, and (2) the San
Francisco District Attorney’s Office written concerns with the SFPD’s DNA
Laboratory. Based on our review of these matters, we made no changes to
the findings in our audit report.


                                                                       APPENDIX II

                                AUDIT CRITERIA

      In conducting our audit, we considered the NDIS participation
requirements and the QAS. However, we did not test for compliance with
elements that were not applicable to the SFPD Laboratory. In addition, we
established standards to test the completeness and accuracy of DNA profiles
as well as the timely notification of DNA profile matches to law enforcement.

NDIS Participation Requirements

      The NDIS participation requirements, which consist of the
Memorandum of Understanding (MOU) and the NDIS operational procedures,
establish the responsibilities and obligations of laboratories that participate
in NDIS. The MOU requires that NDIS participants comply with federal
legislation and the QAS, as well as NDIS-specific requirements
accompanying the MOU in the form of appendices.
We focused our audit on
specific sections of the following NDIS requirements.

      • DNA Data Acceptance Standards
      • DNA Data Accepted at NDIS
      • QAS Reviews
      • NDIS DNA Autosearches
      • Confirm an Interstate Candidate Match
      • General Responsibilities
      • Initiate and Maintain a Laboratory’s Participation in NDIS
      • Security Requirements
      • CODIS Users
      • CODIS Administrator Responsibilities
      • Access to, and Disclosure of, DNA Records and Samples
      • Upload of DNA Records
      • Expunge a DNA Record
      • The FBI Flowchart: A Guide to Determining What is Allowable in
        the Forensic Index at NDIS 22

       22
          The FBI Flowchart is guidance issued to NDIS-participating laboratories separate
from the MOU and NDIS operational procedures. The flowchart is contained in the 2010
CODIS Administrator’s Handbook and has been provided to laboratories in referendums
such as CODIS conferences.

Quality Assurance Standards

      The FBI issued two sets of QAS: QAS for Forensic DNA Testing
Laboratories, effective July 1, 2009, (Forensic QAS); and QAS for DNA
Databasing Laboratories, effective July 1, 2009, (Offender QAS). The
Forensic QAS and the Offender QAS describe the quality assurance
requirements that the Laboratory should follow to ensure the quality and
integrity of the data it produces.

      For our audit, we generally relied on the reported results of the
Laboratory’s most recent annual external review to determine if the
Laboratory was in compliance with the QAS.
Additionally, we performed
audit work to verify that the Laboratory was in compliance with the QAS
listed below because they have a substantial effect on the integrity of the
DNA profiles uploaded to NDIS.

      • Facilities (Forensic QAS and Offender QAS 6.1): The laboratory shall
        have a facility that is designed to ensure the integrity of the
        analyses and the evidence.

      • Evidence Control (Forensic QAS 7.1): The laboratory shall have and
        follow a documented evidence control system to ensure the integrity
        of physical evidence. Where possible, the laboratory shall retain or
        return a portion of the evidence sample or extract.

      • Sample Control (Offender QAS 7.1): The laboratory shall have and
        follow a documented sample inventory control system to ensure the
        integrity of database and known samples.

      • Analytical Procedures (Forensic QAS and Offender QAS 9.5): The
        laboratory shall monitor the analytical procedures using [appropriate]
        controls and standards.

      • Review (Forensic QAS 12.1): The laboratory shall conduct
        administrative and technical reviews of all case files and reports to
        ensure conclusions and supporting data are reasonable and within
        the constraints of scientific knowledge.

        (Offender QAS Standard 12.1): The laboratory shall have and follow
        written procedures for reviewing DNA records and DNA database
        information, including the resolution of database matches.

      • [Reviews] (Forensic QAS and Offender QAS 15.1 and 15.2): The
        laboratory shall be audited annually in accordance with [the QAS].
        The annual audits shall occur every calendar year and shall be at
        least 6 months and no more than 18 months
        apart. At least once
        every 2 years, an external audit shall be conducted by an audit team
        comprised of qualified auditors from a second agency(ies) and having
        at least one team member who is or has been previously qualified in
        the laboratory’s current DNA technologies and platform.

      • Outsourcing (Forensic QAS and Offender QAS Standard 17.1): A
        vendor laboratory performing forensic and database DNA analysis
        shall comply with these Standards and the accreditation requirements
        of federal law.

        Forensic QAS 17.4: An NDIS participating laboratory shall have and
        follow a procedure to verify the integrity of the DNA data received
        through the performance of the technical review of DNA data from a
        vendor laboratory.

        Offender QAS Standard 17.4: An NDIS participating laboratory shall
        have, follow and document appropriate quality assurance procedures
        to verify the integrity of the data received from the vendor laboratory
        including, but not limited to, the following: Random reanalysis of
        database, known or casework reference samples; Inclusion of QC
        samples; Performance of an on-site visit by an NDIS participating
        laboratory or multi-laboratory system outsourcing DNA sample(s) to
        a vendor laboratory or accepting ownership of DNA data from a
        vendor laboratory.

Office of the Inspector General Standards

      We established standards to test the completeness and accuracy of
DNA profiles as well as the timely notification of law enforcement when DNA
profile matches occur in NDIS. Our standards are listed below.

      • Completeness of DNA Profiles: A profile must include each value
        returned at each locus for which the analyst obtained results.
        Our
        rationale for this standard is that the probability of a false match
        among DNA profiles is reduced as the number of loci included in a
        profile increases. A false match would require the unnecessary use
        of laboratory resources to refute the match.

      • Accuracy of DNA Profiles: The values at each locus of a profile
        must match those identified during analysis. Our rationale for this
        standard is that inaccurate profiles may: (1) preclude DNA profiles
        from being matched and, therefore, the potential to link convicted
        offenders to a crime or to link previously unrelated crimes to each
        other may be lost; or (2) result in a false match that would require
        the unnecessary use of laboratory resources to refute the match.

      • Timely Notification of Law Enforcement When DNA Profile Matches
        Occur in NDIS: Laboratories should notify law enforcement
        personnel of NDIS matches within 2 weeks of the match
        confirmation date, unless there are extenuating circumstances. Our
        rationale for this standard is that untimely notification of law
        enforcement personnel may result in the suspected perpetrator
        committing additional, and possibly more egregious, crimes if the
        individual is not deceased or already incarcerated for the
        commission of other crimes.


                                                                      APPENDIX III

                               AUDITEE RESPONSE

                          CITY AND COUNTY OF SAN FRANCISCO

[First page of the letter illegible in the source scan.]

prevent access by unauthorized personnel." During the audit, the HVAC system
experienced a malfunction in the Firearms Unit which resulted in an inordinate and
constant supply of hot air channeled into the office space. In order to safeguard
instrumentation and evidence that may have been damaged by the extreme temperature,
unit supervisor John Sanchez opened the unit's two internal doors to allow the heat to
vent out. This also alleviated the intolerable conditions for unit members allowing work
to continue. Sanchez contacted the building engineer who responded and repaired the
malfunctioning equipment.

    During this event, all members of the Firearms Unit were present and conducting case
work. The group included two sworn members of the SFPD. Sanchez and the members of
the Firearms Unit remained in the unit for the duration of this incident.
Security of the
Firearms and DNA Units was never compromised or breached. All interior and exterior
entrance/exit points remained operational and protected by security measures. No other
individuals, other than those identified here, entered the unit.

    Secondly, the OIG auditors expressed concern regarding access to the training room
located on the second floor of Building 606. The Crime Lab Manager reviews all law
enforcement requests for the use of the training room. Although the room is outside both
administrative and lab space of the Crime Lab, the Crime Lab Manager has informed all
training coordinators of the Crime Lab's security policy. The Crime Lab Manager advises
all Crime Lab personnel in advance of scheduled training events. The Crime Lab
Manager meets with all presenters and conducts additional security inspections on the
dates of such events to ensure adherence to Crime Lab security measures. Although
attendees are sworn law enforcement officers, their access to Crime Lab administrative or
lab space is prevented by security inspections, electronic key card devices and
combination locks.

    The San Francisco Police Department Crime Lab will work with the FBI based on their
review.

Sincerely,

Lt. Daniel Perea
Crime Lab Manager
San Francisco Police Department Crime Laboratory


                                                                      APPENDIX IV

                     DEPARTMENT OF JUSTICE RESPONSE

                                                    U.S. Department of Justice

                                                    Federal Bureau of Investigation

                                                    Washington, D.C. 20535-0001

                                                    September 26, 2011

David J. Gaschke
Regional Audit Manager
San Francisco Regional Audit Office
Office of the Inspector General
1200 Bayhill Drive, Suite 201
San Bruno, CA 94066

Dear Mr. Gaschke:

               Your memorandum to Director Mueller forwarding the draft report of the audit
conducted at the San Francisco Police Department Crime Laboratory, San Francisco, California
(Laboratory) has been referred to me for response.

               Your draft report contained two recommendations relating to the Laboratory's
compliance with the FBI's Memorandum of Understanding and Quality Assurance Standards for
DNA Testing Laboratories. The CODIS Unit has reviewed your draft report and offers the
following comments.

               With respect to recommendation one relating to routine performance and
maintenance of CODIS server back-ups, the Laboratory utilizes a software program to back-up
its CODIS server daily and those back-up data cartridges are now stored at a secure, off-site
location monthly. The CODIS Unit is satisfied that the Laboratory is securely storing its server
back-ups more routinely. The CODIS Unit supports closure of this recommendation.

               With respect to recommendation two relating to unauthorized access, the FBI has
recommended that the Laboratory post a sign on the internal doors to the DNA laboratory
indicating that they must remain closed and not propped opened. The Laboratory is considering
the FBI's recommendation.

               Thank you for sharing the draft audit report with us. If you have any questions,
please feel free to contact Jennifer C. Luttman, Chief of the CODIS Unit, at (703) 632-8315.

                                                     Sincerely,

                                                     Alice R. Isenberg, Ph.D.
                                                     Section Chief
                                                     Biometrics Analysis Section
                                                     FBI Laboratory


                                                             APPENDIX V

              OFFICE OF THE INSPECTOR GENERAL
             ANALYSIS AND SUMMARY OF ACTIONS
               NECESSARY TO CLOSE THE REPORT

      The OIG provided a draft of this audit report to the SFPD Laboratory
and the FBI. Individual responses from the SFPD Laboratory and the FBI are
incorporated in Appendices III and IV, respectively. The following provides
the OIG analysis of the responses and summary of actions necessary to
close the report.

Recommendation Number:

1. Resolved. In its response to our draft audit report, the SFPD
    Laboratory stated that its Forensic Biology Unit backs up its CODIS
    server and associated data on a daily basis using a software program,
    called Symantec Backup. This procedure and the SFPD Laboratory’s use
    of a back-up software was not communicated to us during our audit
    fieldwork or at our exit conference. During our audit, the CODIS
    Administrator stated that the SFPD Laboratory was uploading its
    forensic profiles to California’s SDIS laboratory on a weekly basis and
    SFPD Laboratory officials regarded these weekly uploads as being
    similar to the SFPD Laboratory locally backing up its CODIS data. As we
    stated in our report, the Laboratory’s weekly uploads to California’s
    SDIS Laboratory do not constitute the required weekly local back-ups of
    the SFPD Laboratory’s CODIS server.
    After we obtained the SFPD’s
    response to our report, we contacted the SFPD Laboratory to determine
    whether the daily back-up procedures were new or whether they were in
    place during our audit. We were told by the CODIS Administrator that
    the daily back-ups and use of a software program were in place during
    our audit. We added clarifications to our report to acknowledge the
    SFPD Laboratory’s new statements pertaining to its back-up procedures.

    In addition, the SFPD Laboratory’s response stated that its Forensic
    Biology Unit physically backs up data to cartridges and stores those
    cartridges at an alternate secure physical location. The SFPD
    Laboratory acknowledged that it was moving these data cartridges to an
    offsite secure location on a quarterly basis instead of on a monthly
    basis, as required by FBI policy. However, the SFPD Laboratory stated
    in its response that the CODIS Administrator will ensure data cartridges
    are stored at a secure, offsite location on a monthly basis, which is more
    frequent than its quarterly schedule that we identified during our audit.

    The FBI stated that its CODIS Unit is satisfied that the SFPD Laboratory
    is securely storing its server back-ups on a more routine basis as
    indicated in the SFPD Laboratory’s response, and it supports closure of
    this recommendation. This recommendation can be closed when the
    SFPD Laboratory provides us with evidence that it has formally adopted
    its daily and monthly CODIS server back-up procedures as written
    policy.

2. Resolved. In its response to our draft audit report, the SFPD
    Laboratory provided additional details of the circumstances that caused
    multiple doors to be propped open during our tour of the SFPD
    Laboratory.
    Specifically, the SFPD Laboratory’s HVAC system
    experienced a malfunction that resulted in an excessive supply of hot air
    that needed to be dissipated. The SFPD Laboratory’s Firearms Unit
    Supervisor elected to open the two internal doors to disperse the heat
    and stabilize the temperature for staff members that were working in
    the Unit. Also, the building engineer was called to repair the
    malfunctioning equipment. The SFPD Laboratory added that during this
    event, all interior and exterior points of entry and exit were protected by
    security measures, the Firearms Unit staff was present and conducting
    casework in the area, and that security of the Firearms and DNA
    Analysis Units was not compromised. As stated in our report, SFPD
    Laboratory management explained to us when we were on-site that the
    series of propped open doors was an infrequent occurrence.

    Although we understand that the SFPD Laboratory had experienced a
    temperature issue, we continue to have concerns related to the security
    vulnerabilities caused by multiple doors being propped open because
    this appears to have been an issue in the past. According to the
    September 2010 ASCLD/LAB Interim Inspection Report, the SFPD
    Quality Assurance Manager stated that she had observed propped open
    doors to the building and laboratory prior to November 2009 when the
    Laboratory’s proximity card access system was installed. 23 The
    ASCLD/LAB inspectors did not observe propped doors and stated in the
    September 2010 report that the Laboratory was meeting the security
    requirements of ASCLD/LAB.
    However, due to vulnerabilities associated
    with propped doors, even if it occurs on an infrequent basis, and in
    consideration of these prior issues, we believe it is appropriate for the
    SFPD Laboratory to remedy the security issue found during our review.

       23
          According to the September 2010 ASCLD/LAB Interim Inspection Report,
ASCLD/LAB inspectors visited the SFPD Laboratory in August 2010 to investigate concerns
about the Laboratory, including allegations of possible unrestricted access that were raised
in an anonymous letter.

       ASCLD/LAB, Interim Inspection Report San Francisco Police Department
Criminalistics Laboratory (September 2010), 1-3.

    The SFPD Laboratory also provided a response to our concern of
    possible unauthorized access by individuals visiting the training room
    located on the second floor of its facility. The SFPD Laboratory stated
    that the Crime Laboratory Manager reviews all law enforcement
    requests for the use of the training room and informs all training
    coordinators of the Laboratory’s security policy. The SFPD Laboratory
    Manager advises all SFPD Laboratory personnel of upcoming training
    events, meets with training facilitators in advance of scheduled training
    events, and conducts additional security inspections on the dates of
    such events to ensure adherence to security policies and procedures.
    The SFPD Laboratory clarified that attendees are sworn law enforcement
    officers, but their access to the SFPD Laboratory’s administrative or
    laboratory space is prevented by security inspections, electronic key
    card devices, and combination locks. We recognize that the SFPD
    Laboratory has a protocol in place to address security matters that may
    arise when training courses are held, and we do not feel that trainees’
    access to the training room on the second floor is an issue.
    Rather, we
    are concerned that given our observation of propped open doors to the
    SFPD Laboratory’s DNA Analysis Unit, there is a potential for persons
    not affiliated with the Laboratory to enter this space when no Laboratory
    personnel are present to prevent unauthorized access.

    The FBI suggested in its response that the SFPD Laboratory post a sign
    on the internal doors to its DNA Analysis Unit indicating that they must
    remain closed and not be propped open. This recommendation can be
    closed when the SFPD Laboratory provides evidence that it has
    enhanced security measures against unauthorized access to its DNA
    Analysis Unit.